Monday, 20 October 2014

You need to
read the latest resolution of the international conference of data protection
and privacy commissioners on enforcement cooperation a couple of times before
much of its meaning becomes apparent.

It may be
just over 900 words long, but crystal clear it aint.

It recalls
previous resolutions from the 29th, 33rd, 34th
and 35th conferences and the Montreux Declaration from the 27th
Conference. It recalls earlier decisions to set up an International Enforcement
Coordination Working Group, and notes that the Working Group reported back with
six recommended co-ordination principles.

It further
notes that the previous conference mandated the Working Group to “work with
other networks to develop a common approach to cross border case handling and
enforcement co-operation, to be expressed in a multilateral framework document
addressing the sharing of enforcement-related information, including how such
information id to be treated by recipients thereof, and that this work was not
intended to replace existing national and regional conditions for sharing
information, or to interfere with similar arrangements by other networks.” It also notes progress on developing “arrangements for cross-border cooperation in the enforcement of laws protecting privacy, including efforts by APEC, the data protection authorities of the Article 29 Working Party, the OECD, the Council of Europe, the network of Francophone authorities, the Ibero-American network and the Global Privacy Enforcement Network (GPEN)” The resolution goes on (and on, and on) until you get to to (perhaps the most significant bit, which is “To support the development of a secure
international information platform which offers a ‘safe space’ for members of
the International Conference and their partners to share confidential
information and, to facilitate the initiation of coordinated enforcement action
and, complement other international enforcement coordination mechanisms, adding
value to the international enforcement operational framework.” What (slightly) surprises me is why, after some 36 international
meetings, it is still necessary for privacy commissioners to bang on about the
need for international co-operation amongst themselves.

Why do they need additional mandates to facilitate a greater sense of
working together – is it because some regulators find it hard to cooperate with
others? They all ought to be working together anyway, and it would be scandalous
if they weren’t.

Or is it because they need to send more messages to data controllers to
reassure them that scarce tools and resources are being pooled, and that,
perhaps one day, they may be sufficient to deal with the behemoths that seek to
transgress?

Footnote:

The
reference in the resolution to the sharing of confidential information caught
my attention, particularly as the Data Protection Act has a few things to say
about this.

Section 54 of the DPA provides a gateway for
the ICO to exchange some information with supervisory authorities in the colonies,
other EEA States or with the European Commission. The Act does not refer to
cases where it may be prudent to share information with authorities elsewhere
around the globe.

Section 59 places various constraints on the ability of the ICO to
disclose certain types of confidential information. Presumably, the
Commissioner will argue that any disclosures for fellow regulators of
information supplied to it in confidence will be lawful as the disclosure will,
of necessity, be in the public interest.

Friday, 17 October 2014

An animated conversation broke out at a
recent meeting of the Crouch End Chapter of the Institute of Data Protection.
Members were discussing the differences between data protection and privacy.
Eventually, we decided that data protection was relatively easy to define. It referred to legal controls over access to and use of data stored (mostly) in

computers.

Privacy, on the other hand, was harder to pin
down. It was multi dimensional, best described in terms of:

Privacy of personal information. This is any
information relating to an individual, who can be identified, directly or
indirectly, by that information and in particular by reference to an
identification number or to one or more factors specific to their physical,
physiological, mental, economic, cultural, locational or social identity.
Privacy of personal information involves the right to control when, where, how,
to whom, and to what extent an individual shares their own personal
information, as well as the right to access personal information given to
others, to correct it, and to ensure it is safeguarded and disposed of
appropriately.

Privacy of the person. This is the right to
control the integrity of one’s own body. It covers such things as physical
requirements, health problems, and required medical devices.

Privacy of personal behaviour. This is the
right of individuals to keep any knowledge of their activities, and their
choices, from being shared with others.

Privacy of personal communications. This is
the right to communicate without undue surveillance, monitoring, or censorship.

So, there you have it. If you ever needed a conversation stopper at a drinks party, you can ask your chums for their views on the difference between data protection and privacy.
Many thanks to the member who recalled the great work on privacy that Roger Clarke has carried out in this area. Image credit:http://www.hyperfiction.org/graphics/screen-silhouette2.jpg

Thursday, 16 October 2014

No, I’m not in Mauritius at the
international conference of data protection and privacy commissioners.

I have, however, been following some of the
proceedings on the internet. The conference organisers helpfully realised that
not all interested parties would be able to travel to the tropical paradise
island of Mauritius, so they provided a live webcast.

The usual suspects are in attendance,
including a strong contingent from the UK, led by Commissioner Christopher
Graham, the mighty Eduardo Ustaran and the GSMA’s privacy guru, Pat Walshe. All
are suitably dressed for a formal business occasion. No shorts or T-shirts in sight. Despite the
fact that the beach is so close. They are evidently taking the event very
seriously.

The conference's colourful logo is quite apt. In just a few strokes, the illustrators have drawn the national bird of Mauritius, the dodo. Let's hope that the challenges of an ever richer data environment won't overwhelm citizens and destroy their trust in data controllers, in the same way that a new environment overwhelmed the dodo.

Here are my favourite conference quotes:

“Milk expires – and so does data.”

“We are not in a completely safe and sustainable privacy world.”

“There are a lot of analogies between
chemistry and big data.”

“[Especially] in the context of big data,
we need an efficient and effective provision of public services.”“My biggest concern is the concept of digital pre-destination - where the data defines who we are going to be, rather than we allowing ourselves to be who we are going to be.”

“How do you build ethics into algorithms? –
should your driverless car kill you to save 2 other people? After all,
eventually, smart cars will know how many passengers are in each car.”

“[In relation to the problems faced over the past decade by data protection officers and regulators with respect to addressing issues relating to transparency and new technologies] everything old is new again.”“My children were programming code before they were allowed to use steak knives at the kitchen table. That shows you my approach to risk management.”

“[Said a former data protection regulator to fellow regulators] You will never reach your destination if you throw stones at every dog that barks.”“Accountability - we don't even know how to translate that in French.”

For many, perhaps, the most significant remark of today was made by one of the conference organisers:

“The venue for this evening’s rum cocktail
has moved, from Sugar Mountain to the fountain.”

Tuesday, 7 October 2014

At the Royal Court Theatre last night, the audience and I were left with
the impression that internet security is a luxury that all too few of us will
ever be able to afford.

Why?

Because we were seeing a magnificent play which charted, in the broadest
of terms, the rise of the hacktivist group Anonymous, and the fall of members
of a related group called LulzSec.

If you want to appreciate how a small group of exceptionally talented
individuals can cause havoc, when they try, or shed much-needed light on secrets
that large institutions have tried so hard to conceal, then this is the play
for you.

As Dominic Cavendish put it: “at
last, we have a play fit for the bewildering online times in which we live. Tim
Price’s Teh Internet is Serious Business (the misspelling is knowing, btw, as
is much else) takes us inside the strange world of the hacker, at once solitary
and part of a sort of surrogate family.”

And as John Nathan remarked: “crucially the show reveals how our lives,
institutions, values and laws are at the mercy of a group of talented but
unruly teens - sometimes for good, at others, for ill.”

It made me realise how much we rely on those who provide us with our own
on-line security products to go that extra mile to keep up with the very latest
advances in digital protection. It made me appreciate how much so many
organisations have relied on software developers who, because of the speed with
which they have been required to deliver products, have not been able to fully
assess all potential vulnerabilities.And it made me think even more carefully about the motivations of those
who attempt to test to the very limits the security controls that currently
exist. These people will not necessarily do it with evil intent. They may not
even appreciate the gravity of what they are doing – until the digital locks
have been broken and much-valued secrets are secret no more.

I’m planning to attend a meeting of Parliament’s Intelligence and
Security Committee next week, to offer my views on the appropriate balance
between our individual right to privacy and our collective right to security. I
do hope that many of the Committee members manage to pop over to the Royal
Court to soak up some of the exuberance, anarchy and occasional naivety of some
of those who have such strong hactivist skills. The play is running until 25 October, so there is time, if any are so minded.

If they do see it, then they may realise that its not only the intelligence Agencies’ use
of intrusive surveillance capabilities, and the adequacy of the existing
legislative framework that governs this issue, that requires a review. What’s also
required is a more fundamental review into the consequences of a truly
interconnected world.

If I’ve learnt anything from last night, it’s the need for organisations to consider
building even more physically separate systems, rather than relying on security
to be provided primarily by means of specially designed software. Certainly, they need consider the merits of creating air gaps within their
own IT systems. Does every large organisation need to rely on a single set of
connected servers? Cyber attacks are here to stay.

About Me

I'm Martin Hoskins, and I started this blog to offer somewhat of an irreverent approach to data protection issues. As time has passed, the tone of my posts have become more serious.
I'm not a "high priest" of data protection. I focus on the principles of transparency, fairness, practicality, risk-assessment and pragmatism when dealing with issues, rather than applying every aspect of every data protection rule.
While I may occasionally appear to criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity, so these comments should never be taken to represent anyone else's views on what I write about.
I occasionally tweet as @DataProtector.
You can contact me at:
info@martinhoskins.com.